From: Quinn Tran <qutran@xxxxxxxxxxx>
commit c7702b8c2271 ("scsi: qla2xxx: Get mutex lock before checking
optrom_state") fixed crash while reading optrom data by adding mutex
locking. However, there can be still case where previous WRITE for
optrom buffer failed and then read_optrom() is called with NULL
optrom_buffer. This patch fixes access to read optrom data if the
buffers are NULL.
following stack trace is seen in the log file
[3130734.630350] BUG: unable to handle kernel NULL pointer dereference at (null)
[3130734.630366] IP: [<ffffffff81287526>] memcpy+0x6/0x110
[3130734.630373] PGD 0
[3130734.630374] Oops: 0000 [#1] SMP
[3130734.630375] Modules linked in: iscsi_target_mod target_core_mod configfs ip_vs tcp_diag dccp_diag dccp inet_diag fuse nfsv3 nfs_acl nfsv4 auth_rpcgs>
[3130734.630401] hwmon dm_mirror dm_region_hash dm_log dm_mod ipv6 autofs4 [last unloaded: emcpioc]
[3130734.630404] CPU 9
[3130734.630407] Pid: 14513, comm: udevadm Tainted: PF O 3.8.13-118.10.2.el7uek.x86_64 #2 Oracle Corporation SUN SERVER X4-2 /ASSY,MB,X4-2>
[3130734.630409] RIP: 0010:[<ffffffff81287526>] [<ffffffff81287526>] memcpy+0x6/0x110
[3130734.630411] RSP: 0018:ffff88036c7a3e48 EFLAGS: 00010206
[3130734.630411] RAX: ffff880106b0f000 RBX: 0000000000001000 RCX: 0000000000001000
[3130734.630412] RDX: 0000000000001000 RSI: 0000000000000000 RDI: ffff880106b0f000
[3130734.630413] RBP: ffff88036c7a3e68 R08: 0000000000001000 R09: 0000000000000007
[3130734.630414] R10: 0000000000000004 R11: 0000000000000005 R12: ffff88036c7a3e78
[3130734.630414] R13: 0000000000001000 R14: ffff881fc96945e0 R15: ffff881fc7e99ba8
[3130734.630415] FS: 00007f5e245948c0(0000) GS:ffff881fff320000(0000) knlGS:0000000000000000
[3130734.630416] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[3130734.630417] CR2: 0000000000000000 CR3: 0000000106a88000 CR4: 00000000001407e0
[3130734.630418] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[3130734.630418] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[3130734.630419] Process udevadm (pid: 14513, threadinfo ffff88036c7a2000, task ffff880ee5820500)
[3130734.630420] Stack:
[3130734.630421] ffffffff811ad38c ffff881fc9694000 ffff880106b0f000 0000000000001000
[3130734.630424] ffff88036c7a3ea0 ffffffffa02dea5c 0000000000000000 ffff881014fd9540
[3130734.630427] ffff881010863dc0 ffff88036c7a3f50 0000000000001000 ffff88036c7a3f08
[3130734.630429] Call Trace:
[3130734.630435] [<ffffffff811ad38c>] ? memory_read_from_buffer+0x3c/0x60
[3130734.630445] [<ffffffffa02dea5c>] qla2x00_sysfs_read_optrom+0x9c/0xc0 [qla2xxx]
[3130734.630449] [<ffffffff811fe96f>] read+0xdf/0x1f0
[3130734.630454] [<ffffffff81187ff3>] vfs_read+0xa3/0x180
[3130734.630455] [<ffffffff81188299>] sys_read+0x49/0xa0
[3130734.630461] [<ffffffff810df3b6>] ? __audit_syscall_exit+0x1f6/0x2a0
[3130734.630467] [<ffffffff815874f9>] system_call_fastpath+0x16/0x1b
[3130734.630467] Code: 43 58 48 2b 43 50 88 43 4e 5b 5d c3 66 0f 1f 84 00 00 00 00 00 e8 fb fb ff ff eb e2 90 90 90 90 90 90 90 90 90 48 89 f8 48 89 d1 <>
[3130734.630485] RIP [<ffffffff81287526>] memcpy+0x6/0x110
[3130734.630486] RSP <ffff88036c7a3e48>
[3130734.630487] CR2: 0000000000000000
Fixes: c7702b8c2271 ("scsi: qla2xxx: Get mutex lock before checking optrom_state")
Cc: stable@xxxxxxxxxxxxxxx # 4.10
Signed-off-by: Quinn Tran <qutran@xxxxxxxxxxx>
Signed-off-by: Himanshu Madhani <hmadhani@xxxxxxxxxxx>
---
drivers/scsi/qla2xxx/qla_attr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index 8d560c562e9c..0341f3340edb 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -275,7 +275,8 @@ qla2x00_sysfs_read_optrom(struct file *filp, struct kobject *kobj,
mutex_lock(&ha->optrom_mutex);
- if (ha->optrom_state != QLA_SREADING)
+ if ((ha->optrom_state != QLA_SREADING) ||
+ !buf || !ha->optrom_buffer)
goto out;
rval = memory_read_from_buffer(buf, count, &off, ha->optrom_buffer,
--
2.12.0
